Abstract

Using ideas from automata theory we design a new efficient (deterministic) identity test for the
noncommutative polynomial identity testing problem (first introduced and studied in [RS05, BW05]).
More precisely, given as input a noncommutative circuit $C(x_1, \ldots, x_n)$ computing a polynomial in
$\mathbb{F}\{x_1, \ldots, x_n\}$ of degree $d$ with at most $t$ monomials, where the variables $x_i$ are
noncommuting, we give a deterministic polynomial identity test that checks if $C = 0$ and runs in time
polynomial in $d$, $n$, $|C|$, and $t$.

The same method works in a black-box setting: given a noncommuting black-box polynomial
$f \in \mathbb{F}\{x_1, \ldots, x_n\}$ of degree $d$ with $t$ monomials we can, in fact, reconstruct the
entire polynomial $f$ in time polynomial in $n$, $d$ and $t$. Indeed, we apply this idea to the
reconstruction of black-box noncommuting algebraic branching programs (the ABPs considered by Nisan in
[N91] and Raz-Shpilka in [RS05]). Assuming that the black-box model allows us to query the ABP for the
output at any given gate, we can reconstruct an (equivalent) ABP in deterministic polynomial time.

Finally, we turn to commutative identity testing and explore the complexity of the problem when the
coefficients of the input polynomial come from an arbitrary finite commutative ring with unity whose
elements are uniformly encoded as strings and the ring operations are given by an oracle. We show
that several algorithmic results for polynomial identity testing over fields also hold when the
coefficients come from such finite rings.

1 Introduction

Polynomial identity testing (denoted PIT) over fields is a well studied algorithmic problem: given an
arithmetic circuit $C$ computing a polynomial in $\mathbb{F}[x_1, x_2, \ldots, x_n]$ over a field
$\mathbb{F}$, the problem is to determine whether the polynomial computed by $C$ is identically zero.
The problem is also studied when the input polynomial $f$ is given only via black-box access, i.e., we
can evaluate it at any point in $\mathbb{F}^n$ or in $\mathbb{F}'^n$ for a field extension $\mathbb{F}'$
of $\mathbb{F}$. When $f$ is given by a circuit the problem is in randomized polynomial time. Even
in the black-box setting, when $|\mathbb{F}|$ is suitably larger than $\deg(f)$, the problem is in
randomized polynomial time. A major challenge is to obtain deterministic polynomial time algorithms even
for restricted versions of the problem. The results of Impagliazzo and Kabanets [KI03] show that the
problem is as hard as proving superpolynomial circuit lower bounds. Indeed, the problem remains open even
for depth-3 arithmetic circuits with an unbounded $\Sigma$ gate as output [DS05, KS07].

As shown by Nisan [N91], lower bounds are somewhat easier to prove for noncommutative algebraic
computation. Using a rank argument Nisan has shown exponential size lower bounds for noncommutative
formulas (and noncommutative algebraic branching programs) that compute the noncommutative permanent or
determinant polynomials in the ring $\mathbb{F}\{x_1, \ldots, x_n\}$ where the $x_i$ are noncommuting
variables. Thus, it seems plausible that identity testing in the noncommutative setting ought to be
easier too. Indeed, Raz and Shpilka in [RS05] have shown that for noncommutative formulas (and algebraic
branching programs) there is a deterministic polynomial time algorithm for polynomial identity testing.
However, for noncommutative circuits the situation is somewhat different. Bogdanov and Wee in [BW05]
show using Amitsur-Levitzki's theorem that identity testing for polynomial degree noncommutative circuits
is in randomized polynomial time. Basically, the Amitsur-Levitzki theorem allows them to randomly assign
elements from a matrix algebra $M_k(\mathbb{F})$ for the noncommuting variables $x_i$, where $2k$ exceeds
the degree of the circuit.

The main contribution of this paper is the use of ideas from automata theory to design new efficient
(deterministic) polynomial identity tests for noncommutative polynomials. More precisely, given a
noncommutative circuit $C(x_1, \ldots, x_n)$ computing a polynomial of degree $d$ with $t$ monomials in
$\mathbb{F}\{x_1, \ldots, x_n\}$, where the variables $x_i$ are noncommuting, we give a deterministic
polynomial identity test that checks if $C = 0$ and runs in time polynomial in $d$, $|C|$, $n$, and $t$.
The main idea in our algorithm is to think of the noncommuting monomials over the $x_i$ as words and to
design finite automata that allow us to distinguish between different words. Then, using the connection
between automata, monoids and matrix rings we are able to deterministically choose a relatively small
number of matrix assignments for the noncommuting variables to decide if $C = 0$. Thus, we are able to
avoid using the Amitsur-Levitzki theorem. Indeed, using our automata theory method we can easily give an
alternative proof of a (weaker) version of Amitsur-Levitzki which is good enough for algorithmic purposes
as in [BW05], for example.

Our method actually works in a black-box setting. In fact, given a noncommuting black-box polynomial
$f \in \mathbb{F}\{x_1, \ldots, x_n\}$ of degree $d$ with $t$ monomials, which we can evaluate by
assigning matrices to the $x_i$, we can reconstruct the entire polynomial $f$ in time polynomial in $n$,
$d$ and $t$.

Furthermore, we also apply this idea to black-box noncommuting algebraic branching programs. We
extend the result of Raz and Shpilka [RS05] by giving an efficient deterministic reconstruction algorithm
for black-box noncommuting algebraic branching programs (wherein we are allowed to only query the ABP for
input variables set to matrices of polynomial dimension). Our black-box model assumes that we can query
for the output of any gate of the ABP, not just the output gate.

We now motivate and explain the other results in the paper. Recently, in [AM07] we studied PIT (the
usual commuting variables setting) and its connection to the polynomial ideal membership problem.
Although ideal membership is EXPSPACE-complete, there is an interesting similarity between the two
problems which is the motivation for the present paper. Suppose $I \subset \mathbb{F}[x_1, \ldots, x_n]$
is an ideal generated by polynomials $g_1, \ldots, g_r \in \mathbb{F}[x_1, \ldots, x_k]$ and
$f \in \mathbb{F}[x_1, \ldots, x_n]$. We observe that $f \in I$ if and only if $f$ is identically zero in
the ring $\mathbb{F}[x_1, \ldots, x_k]/I[x_{k+1}, \ldots, x_n]$. Thus, ideal membership is easily
reducible to polynomial identity testing when the coefficient ring is $\mathbb{F}[x_1, \ldots, x_k]/I$.
Consequently, identity testing for the coefficient ring $\mathbb{F}[x_1, \ldots, x_k]/I$ is
EXPSPACE-hard even when the polynomial $f$ is given explicitly as a linear combination of monomials.

This raises the question about the complexity of PIT for a polynomial ring $R[x_1, \ldots, x_n]$ where
$R$ is a commutative ring with unity. How does the complexity depend on the structure of the ring $R$?
We give a precise answer to this question in this paper. We show that the algebraic structure of $R$ is
not important. It suffices that the elements of $R$ have polynomial-size encoding, and w.r.t. this
encoding the ring operations can be efficiently performed. This is in contrast to the ring
$\mathbb{F}[x_1, \ldots, x_k]/I$: we have a double exponential number of elements of polynomial degree in
$\mathbb{F}[x_1, \ldots, x_k]$, and the ring operations in $\mathbb{F}[x_1, \ldots, x_k]/I$ are
essentially ideal membership questions and hence computationally hard.

More precisely, we study polynomial identity testing for finite commutative rings $R$, where we assume
that the elements of $R$ are uniformly encoded as strings in $\{0, 1\}^m$ with two special strings
encoding 0 and 1, and the ring operations are carried out by queries to the ring oracle.

2 Noncommutative Polynomial Identity Testing 

Recall that an arithmetic circuit $C$ over a field $\mathbb{F}$ is defined as follows: $C$ takes as
inputs a set of indeterminates (either commuting or noncommuting) and elements from $\mathbb{F}$ as
scalars. If $f$, $g$ are the inputs of an addition gate, then the output will be $f + g$. Similarly, for
a multiplication gate the output will be $fg$. For noncommuting variables the circuit respects the order
of multiplication. An arithmetic circuit is a formula if the fan-out of every gate is at most one.

Noncommutative identity testing was studied by Raz and Shpilka in [RS05] and Bogdanov and Wee in
[BW05]. In the Bogdanov-Wee paper, they considered a polynomial $f$ of small degree over
$\mathbb{F}\{x_1, \ldots, x_n\}$ for a field $\mathbb{F}$, given by an arithmetic circuit. They were able
to give a randomized polynomial time algorithm for the identity testing of $f$. The key feature of their
algorithm was a reduction from noncommutative identity testing to commutative identity testing which is
based on a classic theorem of Amitsur and Levitzki [AL50] about minimal identities for algebras.

Raz and Shpilka [RS05] give a deterministic polynomial-time algorithm for noncommutative formula
identity testing by first converting a homogeneous formula into a noncommutative algebraic branching
program (ABP), as done in [N91].

In this section we study the noncommutative polynomial identity testing problem. Using simple ideas 
from automata theory, we design a new deterministic identity test that runs in polynomial time if the input 
circuit is sparse and of small degree. Our algorithm works with only black-box access to the noncommuting 
polynomial, and we can even efficiently reconstruct the polynomial. 

We will first describe the algorithm to test if a sparse polynomial of polynomial degree over
noncommuting variables is identically zero. Then we give an algorithm that reconstructs this sparse polynomial.
Though the latter result subsumes the former, for clarity of exposition, we describe both. Furthermore, we 
note that we can assume that the polynomial is given as an arithmetic circuit over a field F. 

In the case of commuting variables, [BOT88] gives an interpolation algorithm that computes the given
sparse polynomial, and thus can be used for identity testing. It is not clear how to generalize this algorithm
to the noncommutative setting. Our identity testing algorithm evaluates the given polynomial at specific,
well-chosen points in a matrix algebra (of polynomial dimension over the base field), such that any non-zero
sparse polynomial is guaranteed to evaluate to a non-zero matrix at one of these points. The reconstruction
algorithm uses the above identity testing algorithm as a subroutine in a prefix-based search to find all the
monomials and their coefficients.

We now describe the identity testing algorithm informally. Our idea is to view each monomial as a
short binary string. A sparse polynomial, hence, is given by a polynomial number of such strings (and the
coefficients of the corresponding monomials). The algorithm proceeds in two steps; in the first step, we
construct a small set of finite automata such that, given any small collection of short binary strings, at least
one automaton from the set accepts exactly one string from this collection; in the second step, for each of the
automata constructed, we construct a tuple of points over a matrix algebra over $\mathbb{F}$ such that the
evaluation of any monomial at the tuple 'mimics' the run of the corresponding string on the automaton. Now,
given any non-zero polynomial $f$ of small degree with few terms, we are guaranteed to have constructed an
automaton $A$ 'isolating' a string from the collection of strings corresponding to monomials in $f$. We then
show that evaluating $f$ over the tuple corresponding to $A$ gives us a non-zero output: hence, we can
conclude $f$ is non-zero. We now describe both algorithms formally.

2.1 Preliminaries

We first recall some standard automata theory notation (see, for example, [HU78]). Fix a finite automaton
$A = (Q, \delta, q_0, q_f)$ which takes as input strings in $\{0, 1\}^*$. $Q$ is the set of states of $A$,
$\delta : Q \times \{0, 1\} \to Q$ is the transition function, and $q_0$ and $q_f$ are the initial and final
states respectively (throughout, we only consider automata with unique accepting states). For each letter
$b \in \{0, 1\}$, let $\delta_b : Q \to Q$ be the function defined by: $\delta_b(q) = \delta(q, b)$. These
functions generate a submonoid of the monoid of all functions from $Q$ to $Q$. This is the transition monoid
of the automaton $A$ and is well-studied in automata theory: for example, see [Str94, page 55]. We now define
the 0-1 matrix $M_b \in \mathbb{F}^{|Q| \times |Q|}$ as follows:



The matrix $M_b$ is simply the adjacency matrix of the graph of the function $\delta_b$. As the entries of
$M_b$ are only zeros and ones, we can consider $M_b$ to be a matrix over any field $\mathbb{F}$.

Furthermore, for any $w = w_1 w_2 \cdots w_k \in \{0, 1\}^*$ we define the matrix $M_w$ to be the matrix
product $M_{w_1} M_{w_2} \cdots M_{w_k}$. If $w$ is the empty string, define $M_w$ to be the identity matrix
of dimension $|Q| \times |Q|$. For a string $w$, let $\delta_w$ denote the natural extension of the
transition function to $w$; if $w$ is the empty string, $\delta_w$ is simply the identity function. It is
easy to check that:



Thus, $M_w$ is also a matrix of zeros and ones for any string $w$. Also, $M_w(q_0, q_f) = 1$ if and only if
$w$ is accepted by the automaton $A$.

2.2 The output of a circuit on an automaton 

Now, we consider the ring $\mathbb{F}\{x_1, \ldots, x_n\}$ of polynomials with noncommuting variables
$x_1, \ldots, x_n$ over a field $\mathbb{F}$. Let $C$ be a noncommutative arithmetic circuit computing a
polynomial $f \in \mathbb{F}\{x_1, \ldots, x_n\}$. Let $d$ be an upper bound on the degree of $f$. We can
consider monomials over the noncommuting variables $x_1, \ldots, x_n$ as strings over an alphabet of size
$n$. For our construction in Section 2.3 it is convenient to encode the variables $x_i$ in the alphabet
$\{0, 1\}$. We do this by encoding the variable $x_i$ by the string $v_i = 01^i0$, which is basically a
unary encoding with delimiters. Clearly, each monomial over the $x_i$'s of degree at most $d$ maps uniquely
to a binary string of length at most $d(n + 2)$.

Let $A = (Q, \delta, q_0, q_f)$ be a finite automaton over the alphabet $\{0, 1\}$. With respect to
automaton $A$ we have matrices $M_{v_i} \in \mathbb{F}^{|Q| \times |Q|}$ as defined in Section 2.1, where
each $v_i$ is the binary string that encodes $x_i$. We are interested in the output matrix obtained when the
inputs $x_i$ to the circuit $C$ are replaced by the matrices $M_{v_i}$. This output matrix is defined in the
obvious way: the inputs are $|Q| \times |Q|$ matrices and we do matrix addition and matrix multiplication at
each addition (resp. multiplication) gate of the circuit $C$. We define the output of $C$ on the automaton
$A$ to be this output matrix $M_{out}$. Clearly, given circuit $C$ and automaton $A$, the matrix $M_{out}$
can be computed in time poly($|C|$, $n$).

We observe the following property: the matrix output $M_{out}$ of $C$ on $A$ is determined completely by the
polynomial $f$ computed by $C$; the structure of the circuit $C$ is otherwise irrelevant. This is important
for us, since we are only interested in $f$. In particular, the output is always 0 when $f = 0$.

More specifically, consider what happens when $C$ computes a polynomial with a single term, say
$f(x_1, \ldots, x_n) = c\,x_{j_1} \cdots x_{j_k}$, with a non-zero coefficient $c \in \mathbb{F}$. In this
case, the output matrix $M_{out}$ is clearly the matrix $c M_{v_{j_1}} \cdots M_{v_{j_k}} = c M_w$, where
$w = v_{j_1} \cdots v_{j_k}$ is the binary string representing the monomial $x_{j_1} \cdots x_{j_k}$. Thus,
by Equation (1) above, we see that the entry $M_{out}(q_0, q_f)$ is 0 when $A$ rejects $w$, and $c$ when $A$
accepts $w$. In general, suppose $C$ computes a polynomial $f = \sum_{i=1}^{t} c_i m_i$ with $t$ nonzero
terms, where $c_i \in \mathbb{F} \setminus \{0\}$ and $m_i = \prod_{j=1}^{d_i} x_{i_j}$, where $d_i \le d$.
Let $w_i = v_{i_1} \cdots v_{i_{d_i}}$ denote the binary string representing monomial $m_i$. Finally, let
$S_A^f = \{ i \in \{1, \ldots, t\} \mid A \text{ accepts } w_i \}$.

Theorem 2.1 Given any arithmetic circuit $C$ computing polynomial $f \in \mathbb{F}\{x_1, \ldots, x_n\}$
and any finite automaton $A = (Q, \delta, q_0, q_f)$, then the output $M_{out}$ of $C$ on $A$ is such that
$M_{out}(q_0, q_f) = \sum_{i \in S_A^f} c_i$.

Proof. The proof is an easy consequence of the definitions and the properties of the matrices $M_w$ stated
in Section 2.1. Note that $M_{out} = f(M_{v_1}, \ldots, M_{v_n})$. But
$f(M_{v_1}, \ldots, M_{v_n}) = \sum_{i=1}^{t} c_i M_{w_i}$, where $w_i = v_{i_1} \cdots v_{i_{d_i}}$ is the
binary string representing monomial $m_i$. By Equation (1), we know that $M_{w_i}(q_0, q_f)$ is 1 if $w_i$
is accepted by $A$, and 0 otherwise. Adding up, we obtain the result. ■

We now explain the role of the automaton $A$ in testing if the polynomial $f$ computed by $C$ is identically
zero or not. Our basic idea is to try and design an automaton $A$ that accepts exactly one word from among
all the words that correspond to the non-zero terms in $f$. This would ensure that $M_{out}(q_0, q_f)$ is
the non-zero coefficient of the monomial filtered out. More precisely, we will use the above theorem
primarily in the following form, which we state as a corollary.

Corollary 2.2 Given any arithmetic circuit $C$ computing polynomial $f \in \mathbb{F}\{x_1, \ldots, x_n\}$
and any finite automaton $A = (Q, \delta, q_0, q_f)$, then the output $M_{out}$ of $C$ on $A$ satisfies:

(1) If $A$ rejects every string corresponding to a monomial in $f$, then $M_{out}(q_0, q_f) = 0$.

(2) If $A$ accepts exactly one string corresponding to a monomial in $f$, then $M_{out}(q_0, q_f)$ is the
nonzero coefficient of that monomial in $f$.

Moreover, $M_{out}$ can be computed in time poly($|C|$, $|A|$, $n$).

Proof. Both points (1) and (2) are immediate consequences of the above theorem. The complexity of 
computing Mout easily follows from its definition. ■ 

Another interesting corollary to the above theorem is the following. 

Corollary 2.3 Given any arithmetic circuit $C$ over $\mathbb{F}\{x_1, \ldots, x_n\}$ and any monomial $m$
of degree $d_m$, we can compute the coefficient of $m$ in $C$ in time poly($|C|$, $d_m$, $n$).

Proof. Apply Corollary 2.2 with $A$ being any standard automaton that accepts the string corresponding to
monomial $m$ and rejects every other string. Clearly, $A$ can be chosen so that $A$ has a unique accepting
state and $|A| = O(n d_m)$. ■

Remark 2.4 Observe that Corollary 2.3 is highly unlikely to hold in the commutative setting
$\mathbb{F}[x_1, \ldots, x_n]$. For, in the commutative case, computing the coefficient of the monomial
$x_1 \cdots x_n$ in even an arbitrary product of linear forms $\prod_i \ell_i$ is at least as hard as the
permanent problem over $\mathbb{F}$, which is #P-complete when $\mathbb{F} = \mathbb{Q}$.

Remark 2.5 Corollary 2.2 can also be used to give an independent proof of a weaker form of the result of
Amitsur and Levitzki that is stated in Lemma A.4. In particular, it is easy to see that the algebra
$M_d(\mathbb{F})$ of $d \times d$ matrices over the field $\mathbb{F}$ does not satisfy any nontrivial
identity of degree $< d$. To prove this, we will consider noncommuting monomials as strings directly over
the $n$ letter alphabet $\{x_1, \ldots, x_n\}$. Suppose
$f = \sum_{i=1}^{t} c_i m_i \in \mathbb{F}\{x_1, \ldots, x_n\}$ is a nonzero polynomial of degree $< d$.
Clearly, we can construct an automaton $B$ over the alphabet $\{x_1, \ldots, x_n\}$ that accepts exactly one
string, namely one nonzero monomial, say $m_{i_0}$, of $f$ and rejects all the other strings over
$\{x_1, \ldots, x_n\}$. Also, $B$ can be constructed with at most $d$ states. Now, consider the output
$M_{out}$ of any circuit computing $f$ on $B$. By Corollary 2.2 the output matrix is non-zero, and this
proves the result.

2.3 Construction of finite automata 

We begin with a useful definition. 

Definition 2.6 Let $W$ be a finite set of binary strings and $\mathcal{A}$ be a finite family of finite
automata over the binary alphabet $\{0, 1\}$.

• We say that $\mathcal{A}$ is isolating for $W$ if there exists a string $w \in W$ and an automaton
$A \in \mathcal{A}$ such that $A$ accepts $w$ and rejects all $w' \in W \setminus \{w\}$.

• We say that $\mathcal{A}$ is an $(m, s)$-isolating family if for every subset $W = \{w_1, \ldots, w_s\}$
of $s$ many binary strings, each of length at most $m$, there is an $A \in \mathcal{A}$ such that $A$ is
isolating for $W$.

Fix parameters $m, s \in \mathbb{N}$. Our first aim is to construct an $(m, s)$-isolating family of automata
$\mathcal{A}$, where both $|\mathcal{A}|$ and the size of each automaton in $\mathcal{A}$ is polynomially
bounded in size. Then, combined with Corollary 2.2, we will be able to obtain deterministic identity testing
and interpolation algorithms in the sequel.

Recall that we only deal with finite automata that have unique accepting states. In what follows, for a
string $w \in \{0, 1\}^*$, we denote by $n_w$ the positive integer represented by the binary numeral $1w$.
For each prime $p$ and each integer $i \in \{0, \ldots, p - 1\}$, we can easily construct an automaton
$A_{p,i}$ that accepts exactly those $w$ such that $n_w \equiv i \pmod{p}$. Moreover, $A_{p,i}$ can be
constructed so as to have $p$ states and exactly one final state.

Our collection of automata $\mathcal{A}$ is just the set of $A_{p,i}$ where $p$ runs over the first few
polynomially many primes, and $i \in \{0, \ldots, p - 1\}$. Formally, let $N$ denote
$(m + 2)\binom{s}{2} + 1$; $\mathcal{A}$ is the collection of $A_{p,i}$, where $p$ runs over the first $N$
primes and $i \in \{0, \ldots, p - 1\}$. Notice that, by the prime number theorem, all the primes chosen
above are bounded in value by $N^2$, which is clearly polynomial in $m$ and $s$. Hence,
$|\mathcal{A}| = \mathrm{poly}(m, s)$, and each $A \in \mathcal{A}$ is bounded in size by poly($m$, $s$). In
the following lemma we show that $\mathcal{A}$ is an $(m, s)$-isolating automata family.

Lemma 2.7 The family of finite automata A defined as above is an (m, s)-isolating automata family. 

Proof. Consider any set of $s$ binary strings $W$ of length at most $m$ each. By the construction of
$\mathcal{A}$, $A_{p,i} \in \mathcal{A}$ isolates $W$ if and only if $p$ does not divide
$n_{w_j} - n_{w_k}$ for some $j$ and all $k \neq j$, and $n_{w_j} \equiv i \pmod{p}$. Clearly, if $p$
satisfies the first of these conditions, $i$ can easily be chosen so that the second condition is satisfied.
We will show that there is some prime among the first $N$ primes that does not divide
$P = \prod_{j \neq k} (n_{w_j} - n_{w_k})$. This easily follows from the fact that the number of distinct
prime divisors of $P$ is at most $\log |P|$, which is clearly bounded by $(m + 2)\binom{s}{2} = N - 1$.
This concludes the proof. ■

We note that the above $(m, s)$-isolating family $\mathcal{A}$ can clearly be constructed in time
poly($m$, $s$).

2.4 The identity testing algorithm

We now describe the identity testing algorithm. Let $C$ be the input circuit computing a polynomial $f$ over
$\mathbb{F}\{x_1, \ldots, x_n\}$. Let $t$ be an upper bound on the number of monomials in $f$, and $d$ be an
upper bound on the degree of $f$. As in Section 2.2, we represent monomials over $x_1, \ldots, x_n$ as
binary strings. Every monomial in $f$ is represented by a string of length at most $d(n + 2)$.

Our algorithm proceeds as follows: using the construction of Section 2.3, we compute a family $\mathcal{A}$
of automata such that $\mathcal{A}$ is isolating for any set $W$ with at most $t$ strings of length at most
$d(n + 2)$ each. For each $A \in \mathcal{A}$, the algorithm computes the output $M_{out}$ of $C$ on $A$. If
$M_{out} \neq 0$ for any $A$, then the algorithm concludes that the polynomial computed by the input circuit
is not identically zero; otherwise, the algorithm declares that the polynomial is identically zero.

The correctness of the above algorithm is almost immediate from Corollary 2.2. If the polynomial is
identically zero, it is easy to see that the algorithm outputs the correct answer. If the polynomial is
nonzero, then by the construction of $\mathcal{A}$, we know that there exists $A \in \mathcal{A}$ such that
$A$ accepts precisely one of the strings corresponding to the monomials in $f$. Then, by Corollary 2.2, the
output of $C$ on $A$ is nonzero. Hence, the algorithm correctly deduces that the polynomial computed is not
identically zero.

As for the running time of the algorithm, it is easy to see that the family of automata $\mathcal{A}$ can be
constructed in time poly($d$, $n$, $t$). Also, the matrices for each $A$ (all of which are of size
poly($d$, $n$, $t$)) can be constructed in polynomial time. Hence, the entire algorithm runs in time
poly($|C|$, $d$, $n$, $t$). We have proved the following theorem:

Theorem 2.8 Given any arithmetic circuit $C$ with the promise that $C$ computes a polynomial
$f \in \mathbb{F}\{x_1, \ldots, x_n\}$ of degree $d$ with at most $t$ monomials, we can check, in time
poly($|C|$, $d$, $n$, $t$), if $f$ is identically zero. In particular, if $f$ is sparse and of polynomial
degree, then we have a deterministic polynomial time algorithm.

In the case of arbitrary noncommutative arithmetic circuits, [BW05] gives a randomized exponential
time algorithm for the identity testing problem. Their algorithm is based on the Amitsur-Levitzki theorem,
which forces the identity test to randomly assign exponential size matrices for the noncommuting variables
since the circuit could compute an exponential degree polynomial. However, notice that Theorem 2.8 gives
a deterministic exponential-time algorithm under the additional restriction that the input circuit computes
a polynomial with at most exponentially many monomials. In general, a polynomial of exponential degree
can have a double exponential number of terms.
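
The following Python sketch is an added example, not code from the paper: it runs the identity test of Section 2.4 and the coefficient extraction of Corollary 2.3 on black-box polynomials with integer coefficients. The `Mat` class, the function names and the two sample polynomials are assumptions made for the illustration; since all $A_{p,i}$ with the same $p$ share their transitions, one evaluation per prime covers every final state $i$.

```python
from math import comb

class Mat:
    """Square integer matrix with +, -, *, so a circuit is an ordinary Python expression."""
    def __init__(self, rows):
        self.r = rows
    def __add__(self, o):
        return Mat([[a + b for a, b in zip(x, y)] for x, y in zip(self.r, o.r)])
    def __sub__(self, o):
        return Mat([[a - b for a, b in zip(x, y)] for x, y in zip(self.r, o.r)])
    def __mul__(self, o):
        cols = list(zip(*o.r))
        return Mat([[sum(a * b for a, b in zip(row, c)) for c in cols] for row in self.r])

def letter_matrix(delta_b):
    """0-1 adjacency matrix of the map q -> delta_b[q] (the matrix M_b of Section 2.1)."""
    k = len(delta_b)
    return Mat([[int(delta_b[q] == r) for r in range(k)] for q in range(k)])

def encode(monomial):
    """x_i -> v_i = 0 1^i 0; a monomial is a list of 1-based variable indices."""
    return "".join("0" + "1" * i + "0" for i in monomial)

def mod_automaton(p):
    """Transitions and start state shared by all A_{p,i}.
    Starting in state 1 (the leading 1 of the numeral 1w), reading w ends in n_w mod p."""
    return [[(2 * q + b) % p for q in range(p)] for b in (0, 1)], 1 % p

def word_automaton(w):
    """Accepts exactly w: a path of len(w)+1 states plus one dead state."""
    dead = len(w) + 1
    delta = [[dead] * (len(w) + 2) for _ in (0, 1)]
    for k, ch in enumerate(w):
        delta[int(ch)][k] = k + 1
    return delta, 0, len(w)

def output_matrix(f, n, delta):
    """M_out: evaluate the black box f with x_i replaced by M_{v_i} = M_0 M_1^i M_0."""
    m0, m1 = letter_matrix(delta[0]), letter_matrix(delta[1])
    xs = []
    for i in range(1, n + 1):
        m = m0
        for _ in range(i):
            m = m * m1
        xs.append(m * m0)
    return f(*xs)

def coefficient(f, n, monomial):
    """Corollary 2.3: the (q0, qf) entry on an automaton accepting only this monomial."""
    delta, q0, qf = word_automaton(encode(monomial))
    return output_matrix(f, n, delta).r[q0][qf]

def first_primes(count):
    primes, c = [], 2
    while len(primes) < count:
        if all(c % p for p in primes):
            primes.append(c)
        c += 1
    return primes

def find_witness(f, n, d, t):
    """Section 2.4 test. Returns (p, i, value) with M_out(q0, qf) != 0 on A_{p,i},
    or None when every automaton of the (d(n+2), t)-isolating family gives 0."""
    m = d * (n + 2)
    for p in first_primes((m + 2) * comb(t, 2) + 1):
        delta, q0 = mod_automaton(p)
        row = output_matrix(f, n, delta).r[q0]   # entry i is the output on A_{p,i}
        for i, value in enumerate(row):
            if value != 0:
                return p, i, value
    return None

# Constructed sample inputs (no constant terms, so no identity matrix is needed).
def f_commutator(x1, x2):
    # (x1 + x2)(x1 - x2) - (x1^2 - x2^2) = x2 x1 - x1 x2: zero if the variables
    # commute, nonzero in the noncommutative ring.
    return (x1 + x2) * (x1 - x2) - (x1 * x1 - x2 * x2)

def f_zero(x1, x2):
    # (x1 + x2)^2 expanded with the order of the factors respected: identically zero.
    return (x1 + x2) * (x1 + x2) - x1 * x1 - x1 * x2 - x2 * x1 - x2 * x2

if __name__ == "__main__":
    print(find_witness(f_commutator, 2, 2, 2))
    print(find_witness(f_zero, 2, 2, 2))
    print(coefficient(f_commutator, 2, [2, 1]))
```

For `f_commutator` the two monomial encodings have $n_w = 166$ and $n_w = 178$, which agree modulo 2 and modulo 3, so their coefficients cancel in the $(q_0, q_f)$ entry for those primes; $p = 5$ is the first prime that isolates one of them.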

2.5 Interpolation of noncommutative polynomials 

We now describe an algorithm that efficiently computes the noncommutative polynomial given by the input
circuit. Let $C$, $f$, $t$ and $d$ be as in Section 2.4. Let $W$ denote the set of all strings corresponding
to monomials with non-zero coefficients in $f$. For all binary strings $w$, let $A_w$ denote any standard
automaton that accepts $w$ and rejects all other strings. For any automaton $A$ and string $w$, we let
$[A]_w$ denote the automaton that accepts those strings that are accepted by $A$ and, in addition, contain
$w$ as a prefix. For a set of finite automata $\mathcal{A}$, let $[\mathcal{A}]_w$ denote the set
$\{[A]_w \mid A \in \mathcal{A}\}$.

We now describe a subroutine Test that takes as input an arithmetic circuit $C$ and a set of finite automata
$\mathcal{A}$ and returns a field element $\alpha \in \mathbb{F}$. The subroutine Test will have the
following properties:

(P1) If $\mathcal{A}$ is isolating for $W$, the set of strings corresponding to monomials in $f$, then
$\alpha \neq 0$.

(P2) In the special case when $|\mathcal{A}| = 1$, and the above holds, then $\alpha$ is in fact the
coefficient of the isolated monomial.

(P3) If no $A \in \mathcal{A}$ accepts any string in $W$, then $\alpha = 0$.

We now give the easy description of Test($C$, $\mathcal{A}$):

For each $A \in \mathcal{A}$, the subroutine Test computes the output matrix $M_{out}^A$ of $C$ on $A$. If
there is an $A \in \mathcal{A}$ such that $M_{out}^A(q_0^A, q_f^A) \neq 0$, then for the first such
automaton $A \in \mathcal{A}$, Test returns the scalar $\alpha = M_{out}^A(q_0^A, q_f^A)$. Here, notice that
$q_0^A$, $q_f^A$ denote the initial and final states of the automaton $A$. If no such automaton
$A \in \mathcal{A}$ is found, then the subroutine returns the scalar 0.

It follows directly from Corollary 2.2 that Test has Properties (P1)-(P3). Furthermore, clearly Test
runs in time poly($|C|$, $\|\mathcal{A}\|$), where $\|\mathcal{A}\|$ denotes the sum of the sizes of the
automata in $\mathcal{A}$.

Let $f \in \mathbb{F}\{x_1, \ldots, x_n\}$ denote the noncommuting polynomial computed by the input circuit
$C$. We now describe a recursive prefix-search based algorithm Interpolate that takes as input the circuit
$C$ and a binary string $u$, and computes all those monomials of $f$ (along with their coefficients) which
contain $u$ as a prefix when encoded as strings using our encoding $x_i \mapsto v_i = 01^i0$. Clearly, in
order to obtain all monomials of $f$ with their coefficients, it suffices to run this algorithm with
$u = \epsilon$, the empty string.

In what follows, let $\mathcal{A}_0$ denote the $(m, s)$-isolating automata family $\{A_{p,i}\}$ as
constructed in Section 2.3 with parameters $m = d(n + 2)$ and $s = t$. As explained in Section 2.3, we can
compute $\mathcal{A}_0$ in time poly($d$, $n$, $t$).

Suppose / is the polynomial computed by the circuit C. We now describe the algorithm 
Interpolate (C, u) formally (Algorithm 1). 

The correctness of this algorithm is clear from the correctness of the Test subroutine and Lemma 2.7.
To bound the running time, note that the algorithm never calls Interpolate on a string $u$ unless $u$ is the
prefix of some string corresponding to a monomial. Hence, the algorithm invokes Interpolate for at most
$O(td(n + 2))$ many prefixes $u$. Since $\|[\mathcal{A}_0]_{u0}\|$ and $|A_u|$ are both bounded by
poly($d$, $n$, $t$) for all prefixes $u$, it follows that the running time of the algorithm is
poly($|C|$, $d$, $n$, $t$). We summarize this discussion in the following theorem.

Theorem 2.9 Given any arithmetic circuit $C$ computing a polynomial $f \in \mathbb{F}\{x_1, \ldots, x_n\}$
of degree at most $d$ and with at most $t$ monomials, we can compute all the monomials of $f$, and their
coefficients, in time poly($|C|$, $d$, $n$, $t$). In particular, if $C$ computes a sparse polynomial $f$ of
polynomial degree, then $f$ can be reconstructed in polynomial time.

3 Interpolation of Algebraic Branching Programs over noncommuting variables

In this section, we study the interpolation problem for black-box Algebraic Branching Programs (ABP) 
computing a polynomial in the noncommutative ring $\mathbb{F}\{x_1, \ldots, x_n\}$. We are given as input an ABP (defined
below) P in the black-box setting, and our task is to output an ABP P' that computes the same polynomial 
as P. To make the task feasible in the black-box setting, we assume that we are allowed to evaluate P at any 
of its intermediate gates. 

Algorithm 1 The Interpolation algorithm

procedure Interpolate(C, u)
    α, α', α'' ← 0.
    α ← Test(C, {A_u})              ▷ A_u is the standard automaton that accepts only u
    if α = 0 then
        Break.                      ▷ u cannot correspond to a monomial of f
    else
        Output (u, α).              ▷ u is the binary encoding of a monomial of f with coefficient α
    end if
    Now the algorithm finds all monomials (along with their coefficients)
    containing u0 or u1 as prefix in the binary encoding.
    if |u| = d(n + 2) then
        Stop.
    else
        α' ← Test(C, [A_0]_{u0}), α'' ← Test(C, [A_0]_{u1}).
    end if
    if α' ≠ 0 then
        Interpolate(C, u0).         ▷ There is some monomial in C extending u0
    end if
    if α'' ≠ 0 then
        Interpolate(C, u1).         ▷ There is some monomial in C extending u1
    end if
end procedure

We first observe that all the results in Section 2 hold under the assumption that the input polynomial $f$
is allowed only black-box access. In the noncommutative setting, we shall assume that the black-box access
allows the polynomial to be evaluated for input values from an arbitrary matrix algebra over the base field
$\mathbb{F}$. It is implicit here that the cost of evaluation is polynomial in the dimension of the
matrices. Note that this is a reasonable noncommutative black-box model, because if we can evaluate $f$ only
over $\mathbb{F}$ or any commutative extension of $\mathbb{F}$, then we cannot distinguish the
non-commutative polynomial represented by $f$ from the corresponding commutative polynomial. We state the
black-box version of our results below.

Theorem 3.1 (Similar to Theorem 2.1) Given black-box access to any polynomial
$f = \sum_{i=1}^{t} c_i m_i \in \mathbb{F}\{x_1, \ldots, x_n\}$ and any finite automaton
$A = (Q, \delta, q_0, q_f)$, then the output $M_{out}$ of $f$ on $A$ is such that
$M_{out}(q_0, q_f) = \sum_{i \in S_A^f} c_i$, where
$S_A^f = \{ i \mid 1 \le i \le t \text{ and } A \text{ accepts the string } w_i \text{ corresponding to } m_i \}$.

Here the output of polynomial $f$ on $A$ is defined analogously to the output of a circuit on $A$ in Section 2.2.

Corollary 3.2 (Similar to Corollary 2.3) Given black-box access to a polynomial $f$ in
$\mathbb{F}\{x_1, \ldots, x_n\}$, and any monomial $m$ of degree $d_m$, we can compute the coefficient of
$m$ in $f$ in time poly($d_m$, $n$).

Finally we have,

Theorem 3.3 (Similar to Theorem 2.9) Given black-box access to a polynomial $f$ in
$\mathbb{F}\{x_1, \ldots, x_n\}$ of degree at most $d$ and with at most $t$ monomials, we can compute all
the monomials of $f$, and their coefficients, in time poly($d$, $n$, $t$). In particular, if $f$ is a sparse
polynomial of polynomial degree, then it can be reconstructed in polynomial time.

Our interpolation algorithm for noncommutative ABPs is motivated by Raz and Shpilka's [RS05] algorithm
for identity testing of ABPs over noncommuting variables. Our algorithm interpolates the given ABP
layer by layer using ideas developed in Section 2 (principally Corollary 3.2).

Definition 3.4 ([N91], [RS05]) An Algebraic Branching Program (ABP) is a directed acyclic graph with one
vertex of in-degree zero, called the source, and a vertex of out-degree zero, called the sink. The vertices of
the graph are partitioned into levels numbered $0, 1, \ldots, d$. Edges may only go from level $i$ to level
$i + 1$ for $i \in \{0, \ldots, d - 1\}$. The source is the only vertex at level 0 and the sink is the only
vertex at level $d$. Each edge is labeled with a homogeneous linear form in the input variables. The size of
the ABP is the number of vertices.

Notice that an ABP with no edge between two vertices u and v on levels i and i + 1 is equivalent to 
an ABP with an edge from u to v labeled with the zero linear form. Thus, without loss of generality, we 
assume that in the given ABP there is an edge between every pair of vertices on adjacent levels. 

As mentioned before, we will assume black-box access to the input ABP P where we can evaluate the 
polynomial computed by P at any of its gates over arbitrary matrix rings over F. In order to specify the gate 
at which we want the output, we index the gates of P with a layer number and a gate number (in the layer). 

Based on [RS05], we now define a Raz-Shpilka basis for the level $i$ of the ABP. Let the number of nodes at the $i$-th level be $G_i$ and let $\{p_1, p_2, \dots, p_{G_i}\}$ be the polynomials computed at the nodes. We will identify this set of polynomials with the $G_i \times n^i$ matrix $M_i$ where the columns of $M_i$ are indexed by different monomials of degree $i$, and the rows are indexed by the polynomials $p_j$. The entries of the matrix $M_i$ are the corresponding polynomial coefficients. A Raz-Shpilka basis is a set of at most $G_i$ linearly independent column vectors of $M_i$ that generates the entire column space. Notice that every vector in the basis is identified by a monomial.

In the algorithm we need to compute a Raz-Shpilka basis at every level of the ABP. Notice that at the level $0$ it is trivial to compute such a basis. Inductively assume we can compute such a basis at the level $i$. Denote the basis by $B_i = \{v_1, v_2, \dots, v_{k_i}\}$ where $v_j \in \mathbb{F}^{G_i}$ and $k_i \le G_i$. Assume that the elements of this basis correspond to the monomials $\{m_1, m_2, \dots, m_{k_i}\}$. We compute a Raz-Shpilka basis at the level $i + 1$ by computing the column vectors corresponding to the set of monomials $\{m_j x_s\}_{j \in [k_i], s \in [n]}$ in $M_{i+1}$ and then extracting the linearly independent vectors out of them. Computing these column vectors requires the computation of the coefficients of these monomials, which can be done in polynomial time using Corollary 3.2. Notice that we also know the monomials that the elements of this basis correspond to.

We now describe the interpolation algorithm formally. As mentioned before, we will construct the output 
ABP P' layer by layer such that every gate of P' computes the same polynomial as the corresponding gate 
in P. Clearly, this task is trivial at level 0. 

Assume that we have completed the construction up to level $i < d$. We now construct level $i + 1$. This only involves computation of the linear forms between level $i$ and level $i + 1$. Hence, there are $k_i \le G_i$ vectors in the Raz-Shpilka basis at the $i$th level. Let the monomials corresponding to these vectors be $B = \{m_1, \dots, m_{k_i}\}$. Fix any gate $u$ at level $i + 1$ in $P$, and let $p_u$ be the polynomial computed at this gate in $P$. Clearly,

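$$p_u = \sum_{j=1}^{G_i} p_j \ell_j$$

where $p_j$ is the polynomial computed at the $j$th gate at level $i$, and $\ell_j$ is the linear form labeling the edge between the $j$th gate at level $i$ and $u$.
We have,

$$
\begin{aligned}
p_u &= \sum_{j=1}^{G_i} p_j \ell_j \\
    &= \sum_{j=1}^{G_i} \Big( \sum_{m : |m| = i} c_m^{(j)} m \Big) \Big( \sum_{s=1}^{n} a_s^{(j)} x_s \Big) \\
    &= \sum_{m : |m| = i,\, s} m x_s \Big( \sum_{j=1}^{G_i} c_m^{(j)} a_s^{(j)} \Big) \\
    &= \sum_{m : |m| = i,\, s} m x_s \langle c_m, a_s \rangle
\end{aligned}
$$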

where $c_m$ and $a_s$ denote the vectors of field elements $(c_m^{(j)})_j$ and $(a_s^{(j)})_j$ respectively. Note that $a_s$ denotes a vector of unknowns that we need to compute. Each monomial $m x_s$ in the above equation gives us a linear constraint on $a_s$. However, this system of constraints is exponential in size. To obtain a feasible solution for $\{a_s\}_{s \in [n]}$, we observe that it is sufficient to satisfy the constraints corresponding only to monomials $m x_s$ where $m \in B$. All other constraints are simply linear combinations of these and are thus automatically satisfied by any solution to these.

Now, for $m \in B$ and $s \in \{1, \dots, n\}$, we compute the coefficients of $m x_s$ in $p_u$ and those of $m$ in each of the $p_j$'s using the algorithm of Corollary 3.2. Hence, we have all the linear constraints we need to solve for $\{a_s\}_{s \in [n]}$. Firstly, note that such a solution exists, since the linear forms in the black box ABP $P$ give us such a solution. Moreover, any solution to this system of linear equations generates the same polynomial $p_u$ at gate $u$. Hence, we can use any solution to this system of linear equations as our linear forms. We perform this computation for all gates $u$ at the $(i + 1)$st level. The final step in the iteration is to compute the Raz-Shpilka basis for the level $i + 1$.
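An added example (not the authors' code) of the layer-by-layer interpolation described above, carried out over $\mathbb{Q}$. The hidden ABP, the `forms[i][j][u][s]` layout and the `coeff` query, which stands in for the matrix evaluations of Corollary 3.2, are assumptions of this example.

```python
from fractions import Fraction
from itertools import product


def coeff(forms, level, gate, word):
    """Coefficient of monomial `word` (tuple of variable indices, len == level)
    in the polynomial computed at `gate` of `level`. forms[i][j][u][s] is the
    coefficient of x_s on the edge from gate j (level i) to gate u (level i+1)."""
    vec = [Fraction(1)]                           # the source computes 1
    for t, s in enumerate(word):
        vec = [sum(vec[j] * forms[t][j][u][s] for j in range(len(vec)))
               for u in range(len(forms[t][0]))]
    return vec[gate]


def rref(rows):
    """Row-reduce a matrix of Fractions; return (reduced rows, pivot columns)."""
    rows = [list(r) for r in rows]
    pivots, r = [], 0
    for c in range(len(rows[0]) if rows else 0):
        p = next((i for i in range(r, len(rows)) if rows[i][c] != 0), None)
        if p is None:
            continue
        rows[r], rows[p] = rows[p], rows[r]
        pivot = rows[r][c]
        rows[r] = [Fraction(v) / pivot for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c] != 0:
                factor = rows[i][c]
                rows[i] = [a - factor * b for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    return rows, pivots


def solve(A, b, ncols):
    """Return one solution x of A x = b (free variables are set to 0)."""
    x = [Fraction(0)] * ncols
    reduced, pivots = rref([row + [rhs] for row, rhs in zip(A, b)])
    for row, c in zip(reduced, pivots):
        if c < ncols:
            x[c] = row[-1]
    return x


def reconstruct(query, sizes, n):
    """Rebuild every layer of linear forms from coefficient queries alone.
    query(level, gate, word) is the black box; sizes[i] is G_i."""
    basis, forms = [()], []              # level 0: the empty monomial
    for i in range(len(sizes) - 1):
        g_i, g_next = sizes[i], sizes[i + 1]
        # One equation per basis monomial m: <c_m, a_s> = coeff of m*x_s in p_u.
        A = [[query(i, j, m) for j in range(g_i)] for m in basis]
        layer = [[[Fraction(0)] * n for _ in range(g_next)] for _ in range(g_i)]
        for u in range(g_next):
            for s in range(n):
                b = [query(i + 1, u, m + (s,)) for m in basis]
                for j, a in enumerate(solve(A, b, g_i)):
                    layer[j][u][s] = a
        forms.append(layer)
        # Raz-Shpilka basis for level i+1: independent columns among m*x_s.
        cand = [m + (s,) for m in basis for s in range(n)]
        cols = [[query(i + 1, u, w) for w in cand] for u in range(g_next)]
        basis = [cand[c] for c in rref(cols)[1]]
    return forms


# Constructed hidden ABP: n = 2 variables, depth 3, level sizes 1, 2, 2, 1.
# The level-1 gates compute x0 and 2*x0, so they are linearly dependent.
SIZES = [1, 2, 2, 1]
HIDDEN = [
    [[[1, 0], [2, 0]]],
    [[[1, 1], [0, 2]], [[0, 1], [1, 0]]],
    [[[1, 0]], [[0, 3]]],
]


def same_polynomial(forms_a, forms_b, sizes, n):
    """Compare the two sink polynomials coefficient by coefficient."""
    d = len(sizes) - 1
    return all(coeff(forms_a, d, 0, w) == coeff(forms_b, d, 0, w)
               for w in product(range(n), repeat=d))


REBUILT = reconstruct(lambda lv, g, w: coeff(HIDDEN, lv, g, w), SIZES, 2)
```

Because the level-1 gates are dependent, the system at level 2 is underdetermined and the rebuilt linear forms differ from the hidden ones, yet every gate still computes the same polynomial.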
We can use induction on the level numbers to argue correctness of the algorithm. From the input black-box ABP $P$, for each level $k$, let $P_{jk}$, $1 \le j \le G_k$, denote the algebraic branching programs computed by $P$ with output gate as gate $j$ in level $k$. Assume, as induction hypothesis, that the algorithm has computed linear forms for all levels up to level $i$ and, furthermore, that the algorithm has a correct Raz-Shpilka basis for all levels up to level $i$. This gives us a reconstructed ABP $P'$ up to level $i$ with the property, for $1 \le k \le i$, each ABP $P'_{jk}$, $1 \le j \le G_k$, computes the same polynomials as the corresponding $P_{jk}$, $1 \le j \le G_k$, where $P'_{jk}$ is obtained from $P'$ by designating gate $j$ at level $k$ as output gate. Under this induction hypothesis, it is clear that our interpolation algorithm will compute a correct set of linear forms between levels $i$ and $i + 1$. Consequently, the algorithm will correctly reconstruct an ABP $P'$ up to level $i + 1$ along with a corresponding Raz-Shpilka basis for that level.

We can now summarize the result in the following theorem. 

Theorem 3.5 Let $P$ be an ABP of size $s$ and depth $d$ over $\mathbb{F}\{x_1, x_2, \dots, x_n\}$ given by black-box access that allows evaluation of any gate of $P$ for inputs $x_i$ chosen from a matrix algebra $M_k(\mathbb{F})$ for a polynomially bounded value of $k$. Then in deterministic time poly$(d, s, n)$, we can compute an ABP $P'$ such that $P'$ evaluates to the same polynomial as $P$.

4 Noncommutative identity testing and circuit lower bounds 

In Section 2 we gave a new deterministic identity test for noncommuting polynomials which runs in polynomial time for sparse polynomials of polynomially bounded degree.

However, the real problem of interest is identity testing for polynomials given by small degree noncommutative circuits for which Bogdanov and Wee [BW05] give an efficient randomized test. When the noncommutative circuit is a formula, Raz and Shpilka [RS05] have shown that the problem is in deterministic polynomial time. Their method uses ideas from Nisan's lower bound technique for noncommutative formulae [N91].

How hard would it be to show that noncommutative PIT is in deterministic polynomial time for circuits of polynomial degree? In the commutative case, Impagliazzo and Kabanets [KI03] have shown that derandomizing PIT implies circuit lower bounds. It implies that either NEXP $\not\subset$ P/poly or the integer Permanent does not have polynomial-size arithmetic circuits.

We observe that this result also holds in the noncommutative setting. I.e., if noncommutative PIT has a deterministic polynomial-time algorithm then either NEXP $\not\subset$ P/poly or the noncommutative Permanent function does not have polynomial-size noncommutative circuits.

As noted, in some cases noncommutative circuit lower bounds are easier to prove than for commutative circuits. Nisan [N91] has shown exponential-size lower bounds for noncommutative formula size and further results are known for pure noncommutative circuits [N91, RS05]. However, proving superpolynomial size lower bounds for general noncommutative circuits computing the Permanent has remained an open problem.

The noncommutative Permanent function $\mathrm{Perm}(x_1, \dots, x_n) \in R\{x_1, \dots, x_n\}$ is defined as

$$\mathrm{Perm}(x_1, \dots, x_n) = \sum_{\sigma \in S_n} \prod_{i=1}^{n} x_{i,\sigma(i)},$$

where the coefficient ring $R$ is any commutative ring with unity. Specifically, for the next theorem we choose $R = \mathbb{Q}$.
Theorem 4.1 If PIT for noncommutative circuits of polynomial degree $C(x_1, \dots, x_n) \in \mathbb{Q}\{x_1, \dots, x_n\}$ is in deterministic polynomial-time then either NEXP $\not\subset$ P/poly or the noncommutative Permanent function does not have polynomial-size noncommutative circuits.

Proof. Suppose NEXP $\subset$ P/poly. Then, by the main result of [IKW02] we have NEXP = MA. Furthermore, by Toda's theorem MA $\subseteq P^{\mathrm{Perm}_{\mathbb{Z}}}$ where the oracle computes the integer permanent. Now, assuming PIT for noncommutative circuits of polynomial degree is in deterministic polynomial-time we will show that the (noncommutative) Permanent function does not have polynomial-size noncommutative circuits. Suppose to the contrary that it does have polynomial-size noncommutative circuits. Clearly, we can use it to compute the integer permanent as well. Furthermore, as in [KI03] we notice that the noncommutative $n \times n$ Permanent is also uniquely characterized by the identities $p_1(x) = x$ and $p_i(X) = \sum_{j=1}^{i} x_{1j}\, p_{i-1}(X_j)$ for $1 < i \le n$, where $X$ is a matrix of $i^2$ noncommuting variables and $X_j$ is its $j$-th minor w.r.t. the first row. I.e., arbitrary polynomials $p_i$, $1 \le i \le n$, satisfy these $n$ identities over noncommuting variables $x_{ij}$, $1 \le i, j \le n$, if and only if $p_i$ computes the $i \times i$ permanent of noncommuting variables. The rest of the proof is exactly as in Impagliazzo-Kabanets [KI03]. We can easily describe an NP machine to simulate a $P^{\mathrm{Perm}_{\mathbb{Z}}}$ computation. The NP machine guesses a polynomial-size noncommutative circuit for Perm on $m \times m$ matrices, where $m$ is a polynomial bound on the matrix size of the queries made. Then the NP machine verifies that the circuit computes the permanent by checking the $m$ noncommutative identities it must satisfy. This can be done in deterministic polynomial time by assumption. Finally, the NP machine uses the circuit to answer all the integer permanent queries. Putting it together, we get NEXP = NP which contradicts the nondeterministic time hierarchy theorem. ■



5 Schwartz-Zippel lemma over finite rings 

In this section we give a generalization of the Schwartz-Zippel Lemma to finite commutative rings and apply it for identity testing of black-box polynomials in $R[x_1, \dots, x_n]$, where $R$ is a finite commutative ring with unity whose elements are uniformly encoded by strings from $\{0, 1\}^m$ with a special string $e$ denoting unity, and the ring operations are performed by a ring oracle.

We recall some facts about finite commutative rings [B74, AM69]. A commutative ring $R$ with unity is a local ring if $R$ has a unique maximal ideal $M$. An element $r \in R$ is nilpotent if $r^n = 0$ for some positive integer $n$. An element $r \in R$ is a unit if it is invertible, i.e. $r r' = 1$ for some element $r' \in R$. Any element of a finite local ring is either a nilpotent or a unit. An ideal $I$ is a prime ideal of $R$ if $ab \in I$ implies either $a \in I$ or $b \in I$. For finite commutative rings, prime ideals and maximal ideals coincide. These facts considerably simplify the study of finite commutative rings (in contrast to infinite rings).

The radical of a finite ring $R$ denoted by $\mathrm{Rad}(R)$ is defined as the set of all nilpotent elements, i.e.

$$\mathrm{Rad}(R) = \{ r \in R \mid \exists n > 0 \text{ s.t. } r^n = 0 \}$$

The radical $\mathrm{Rad}(R)$ is an ideal of $R$, and it is the unique maximal ideal if $R$ is a local ring. Let $m$ denote the least positive integer such that for every nilpotent $r \in R$, $r^m = 0$, i.e. $(\mathrm{Rad}(R))^m = 0$. Let $R$ be any finite commutative ring with unity and $\{P_1, P_2, \dots, P_\ell\}$ be the set of all maximal ideals of $R$. Let $R_i$ denote the quotient ring $R/P_i^m$ for $1 \le i \le \ell$. Then, it is easy to see that each $R_i$ is a local ring and $P_i/P_i^m$ is the unique maximal ideal in $R_i$. We recall the following structure theorem for finite commutative rings.
Theorem 5.1 ([B74], Theorem VI.2, page 95) Let $R$ be a finite commutative ring. Then $R$ decomposes (up to order of summands) uniquely as a direct sum of local rings. More precisely

$$R \cong R_1 \oplus R_2 \oplus \cdots \oplus R_\ell,$$

via the map $\phi(r) = (r + P_1^m, r + P_2^m, \dots, r + P_\ell^m)$, where $R_i = R/P_i^m$ and $P_i$, $1 \le i \le \ell$, are all the maximal ideals of $R$.

It is easy to see that $\phi$ is a homomorphism with trivial kernel. The isomorphism $\phi$ naturally extends to the polynomial ring $R[x_1, x_2, \dots, x_n]$, and gives the isomorphism $\hat{\phi} : R[x_1, x_2, \dots, x_n] \to \bigoplus_{i=1}^{\ell} R_i[x_1, x_2, \dots, x_n]$.

5.1 The Schwartz-Zippel lemma 

We observe the following easy fact about zeros of a univariate polynomial over a ring. 

Proposition 5.2 Let $R$ be an arbitrary commutative ring containing an integral domain $D$. If $f \in R[x]$ is a nonzero polynomial of degree $d$ then $f(a) = 0$ for at most $d$ distinct values of $a \in D$.

Proof. Suppose $a_1, a_2, \dots, a_{d+1} \in D$ are distinct points such that $f(a_i) = 0$, $1 \le i \le d + 1$. Then we can write $f(x) = (x - a_1) q(x)$ for $q(x) \in R[x]$. Now, dividing $q(x)$ by $x - a_2$ yields $q(x) = (x - a_2) q'(x) + q(a_2)$, for some $q'(x) \in R[x]$. Thus, $f(x) = (x - a_1)(x - a_2) q'(x) + (x - a_1) q(a_2)$. Putting $x = a_2$ in this equation gives $(a_2 - a_1) q(a_2) = 0$. But $a_2 - a_1$ is a nonzero element in $D$ and is hence invertible. Therefore, $q(a_2) = 0$. Consequently, $f(x) = (x - a_1)(x - a_2) q'(x)$. Applying this argument successively for the other $a_i$ finally yields $f(x) = g(x) \prod_{i=1}^{d+1} (x - a_i)$ for some nonzero polynomial $g(x) \in R[x]$. Since $\prod_{i=1}^{d+1} (x - a_i)$ is a monic polynomial, this forces $\deg(f) \ge d + 1$ which is a contradiction. ■

Consider a polynomial $f \in R[x_1, \dots, x_n]$. Let $R'$ denote the ring $R[x_1, \dots, x_{n-1}]$. Then we can consider $f$ as a univariate polynomial in $R'[x_n]$ and apply Lemma 5.2 since $R'$ contains the integral domain $D$ that $R$ contains. Now, by an easy induction argument on the number of variables as in [TZ06, Lemma D.3], we can derive the following analog of the Schwartz-Zippel test for arbitrary commutative rings containing large enough integral domains.

Lemma 5.3 Let $R$ be an arbitrary commutative ring containing an integral domain $D$. Let $g \in R[x_1, x_2, \dots, x_n]$ be any polynomial of degree at most $d$. If $g \not\equiv 0$, then for any finite subset $A$ of $D$ we have

$$\mathrm{Prob}_{a_1 \in A, \dots, a_n \in A}[g(a_1, a_2, \dots, a_n) = 0] \le \frac{nd}{|A|}.$$

In general Lemma 5.3 is not applicable, because the given ring may not contain a large integral domain. We explain how to get around this problem in the case of finite local commutative rings. Because of the structure theorem, it suffices to consider local rings.

Let $R$ be a finite local ring with unity given by a ring oracle. Suppose the characteristic of $R$ is $p^\alpha$ for a prime $p$. If the elements of $R$ are encoded in $\{0, 1\}^m$ then $2^m$ upper bounds the size of $R$. Let $M > 2^m$, to be fixed later in the analysis. Let $U = \{ce \mid 0 \le c < M\}$, where $e$ denotes the unity of $R$. We will argue that, for a suitable $M$, if we sample $ce$ uniformly from $U$ then $(c \bmod p)e$ is almost uniformly distributed in $\mathbb{Z}_p e$. Pick $x$ uniformly at random from $\mathbb{Z}_M$ and output $xe$. Let $a \in \mathbb{Z}_p$ and $P = \mathrm{Prob}[x \equiv a \pmod{p}]$. The $x$ for which $x \equiv a \pmod{p}$ are $a, a + p, \dots, a + p\lfloor \frac{M-a}{p} \rfloor$. Let $M' = \lfloor \frac{M-a}{p} \rfloor$. Then $P = (M' + 1)/M \le \frac{1}{p} + \frac{1}{M}$. Clearly, $P \ge \frac{1}{p}\left(1 - \frac{2^m}{M}\right)$. For a given $\epsilon > 0$, choose $M = 2^{m+1}/\epsilon$. Then $\frac{1}{p}\left(1 - \frac{\epsilon}{2}\right) \le P \le \frac{1}{p}\left(1 + \frac{\epsilon}{2}\right)$. So $(x \bmod p)e$ is $\frac{\epsilon}{2}$-uniformly distributed in $\mathbb{Z}_p e$.

Lemma 5.4 Let $R$ be a finite local commutative ring with unity and of characteristic $p^\alpha$ for a prime $p$. The elements of $R$ are encoded using binary strings of length $m$. Let $g \in R[x_1, x_2, \dots, x_n]$ be a polynomial of degree at most $d$ and $\epsilon > 0$ be a given constant. If $g \not\equiv 0$, then

$$\mathrm{Prob}_{a_1 \in U, \dots, a_n \in U}[g(a_1, a_2, \dots, a_n) = 0] \le \frac{nd}{p}\left(1 + \frac{\epsilon}{2}\right),$$

where $U = \{ce \mid 0 \le c < M\}$ and $M > 2^{m+1}/\epsilon$.
Proof. Consider the following tower of ideals inside $R$:

$$R \supsetneq pR \supsetneq p^2 R \supsetneq \cdots \supsetneq p^\alpha R = \{0\}.$$

Let $k$ be the integer such that $g \in p^k R[x_1, \dots, x_n] \setminus p^{k+1} R[x_1, \dots, x_n]$. Write $g = p^k \hat{g}$. Consider the ring, $I = \{r \in R \mid p^k r = 0\}$. Clearly, $I$ is an ideal of $R$. Let $S = R/(I + pR)$. We claim that $\hat{g}$ is a nonzero polynomial in $S[x_1, \dots, x_n]$. Otherwise, let $\hat{g} \in (I + pR)[x_1, \dots, x_n]$. Write $\hat{g} = g_1 + g_2$, where $g_1 \in I[x_1, \dots, x_n]$ and $g_2 \in pR[x_1, \dots, x_n]$. Then $p^k \hat{g} = p^k g_2$ as $p^k g_1 = 0$. But $p^k g_2 \in p^{k+1} R[x_1, \dots, x_n]$, which contradicts the fact that $k$ is the largest integer such that $g \in p^k R[x_1, \dots, x_n]$.

Thus $\hat{g}$ is a nonzero polynomial in $S[x_1, \dots, x_n]$. Now we argue that $S$ contains the finite field $\mathbb{F}_p$, and then using Lemma 5.3 the proof of the lemma will follow easily. To see a copy of $\mathbb{F}_p$ inside $S$, it is enough to observe that $\{i + (I + pR) \mid 0 \le i \le p - 1\}$ as a field is isomorphic to $\mathbb{F}_p$. Clearly the failure probability for identity testing of $g$ in $R[x_1, \dots, x_n]$ is upper bounded by the failure probability for the identity testing of $\hat{g}$ in $S[x_1, \dots, x_n]$. Consider the natural homomorphism $\phi : U \to \mathbb{F}_p$, given by $\phi(ce) = c \bmod p$. Thus if we sample uniformly from $U$, using $\phi$ we can $\frac{\epsilon}{2}$-uniformly sample from $\mathbb{F}_p$. Notice that for any $b \in \mathbb{F}_p$, $\frac{1}{p}\left(1 - \frac{\epsilon}{2}\right) \le \mathrm{Prob}_{x \in \mathbb{Z}_M}[x \equiv b \bmod p] \le \frac{1}{p}\left(1 + \frac{\epsilon}{2}\right)$. Now using Lemma 5.3 we conclude the following:

$$\mathrm{Prob}_{a_1 \in U, \dots, a_n \in U}[g(a_1, \dots, a_n) = 0] \le \mathrm{Prob}_{b_1 \in \mathbb{F}_p, \dots, b_n \in \mathbb{F}_p}[\hat{g}(b_1, \dots, b_n) = 0] \le \frac{nd}{p}\left(1 + \frac{\epsilon}{2}\right),$$

where $b_i = a_i \pmod{p}$. The additional factor of $(1 + \frac{\epsilon}{2})$ comes from the fact that we are only sampling $\frac{\epsilon}{2}$-uniformly from $\mathbb{F}_p$. This can be easily verified from the proof of Lemma 5.3. Hence we have proved the lemma. ■



6 Randomized Polynomial Identity Testing over finite rings 

In this section we study the identity testing problem over a finite commutative ring oracle with unity. For the input polynomial, we consider both black-box representation and circuit representation. First we consider the black-box case. Our identity testing algorithm is a direct consequence of Lemma 5.4.

Theorem 6.1 Let $R$ (which decomposes into local rings as $\bigoplus_{i=1}^{\ell} R_i$) be a finite commutative ring with unity given as an oracle. Let the input polynomial $f \in R[x_1, \dots, x_n]$ of degree at most $d$ be given via black-box access. Suppose $R_i$ is of characteristic $p_i^{\alpha_i}$. Let $\epsilon > 0$ be a given constant. If $p_i > knd$ for all $i$, for some integer $k > 2$, we have a randomized polynomial time identity test with success probability $1 - \frac{1}{k}\left(1 + \frac{\epsilon}{2}\right)$.
Proof. Consider the natural isomorphism $\hat{\phi} : R[x_1, x_2, \dots, x_n] \to \bigoplus_{i=1}^{\ell} R_i[x_1, x_2, \dots, x_n]$. Let $\hat{\phi}(f) = (f_1, f_2, \dots, f_\ell)$. If $f \not\equiv 0$ then $f_i \not\equiv 0$ for some $i \in [\ell]$, where $f_i \in R_i[x_1, x_2, \dots, x_n]$. Fix such an $i$. Our algorithm is a direct application of Lemma 5.4. Define $U = \{ce \mid 0 \le c < M\}$, assign values for the $x_j$'s independently and uniformly at random from $U$, and evaluate $f$ using the black-box access. The algorithm declares $f \not\equiv 0$ if and only if the computed value is nonzero. By Lemma 5.4, our algorithm outputs the correct answer with probability $1 - \frac{nd}{p_i}\left(1 + \frac{\epsilon}{2}\right) \ge 1 - \frac{1}{k}\left(1 + \frac{\epsilon}{2}\right)$.¹ ■

The drawback of Theorem 6.1 is that we get a randomized polynomial-time algorithm only when $p_i > knd$.

However, when the polynomial $f$ is given by an arithmetic circuit we will get a randomized identity test that works for all finite commutative rings given by oracle. This is the main result in this section. A key idea is to apply the transformation from [AB03] to convert the given multivariate polynomial to a univariate polynomial. The following lemma has an identical proof as [AB03, Lemma 4.5].

Lemma 6.2 Let $R$ be an arbitrary commutative ring and $f \in R[x_1, x_2, \dots, x_n]$ be any polynomial of maximum degree $d$. Consider the polynomial $g(x)$ obtained from $f(x_1, x_2, \dots, x_n)$ by replacing $x_i$ by $x^{(d+1)^{i-1}}$, i.e. $g(x) = f(x, x^{(d+1)}, \dots, x^{(d+1)^{n-1}})$. Then $f = 0$ over $R[x_1, \dots, x_n]$ if and only if $g = 0$ over $R[x]$.

By Lemma 6.2 it suffices to describe the identity test for a univariate polynomial in $R[x]$ given by an arithmetic circuit. Notice that if $\deg(f) = d$ then we can bound $\deg(g)$ by $d(d+1)^{n-1}$ which we denote by $D$. Our algorithm is simple and essentially the same as the Agrawal-Biswas identity test over the finite ring $\mathbb{Z}_n$ [AB03].

We will randomly pick a monic polynomial $q(x) \in U[x]$ of degree $\lceil \log O(D) \rceil$. Then we carry out a division of $f(x)$ by the polynomial $q(x)$ and compute the remainder $r(x) \in R[x]$. Our algorithm declares $f$ to be identically zero if and only if $r(x) = 0$. Notice that we will use the structure of the circuit to carry out the division. At each gate we carry out the division. More precisely, if the inputs of a $+$ gate are the remainders $r_1(x)$ and $r_2(x)$, then the output of this $+$ gate is $r_1 + r_2$. Similarly if $r_1$ and $r_2$ are the inputs of a $*$ gate, then we divide $r_1(x) r_2(x)$ by $q(x)$ and obtain the remainder as its output. Crucially, since $q(x)$ is a monic polynomial, the division algorithm will make sense and produce a unique remainder even if $R[x]$ is not a U.F.D (which is the case in general).

We now describe the pseudocode of the identity testing algorithm (Algorithm 2). Our algorithm takes as input an arithmetic circuit $C$ computing a polynomial $f \in R[x_1, x_2, \dots, x_n]$ of degree at most $d$ and an $\epsilon > 0$.
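Algorithm 2 specialised to the ring $\mathbb{Z}_N$, as an added example (not the authors' code): every gate value is kept as a remainder modulo a random monic $q(x)$, so the degree never exceeds $\deg q$. The gate-list circuit format, the function names, the sample circuits and the modulus degree $\lceil \log_2(D+1) \rceil$ (standing in for the page's $\lceil \log O(D) \rceil$) are assumptions of this example; it also uses the nonzero polynomial $4x(x+1)$ over $\mathbb{Z}_8$, which vanishes at every point and so escapes point evaluation.

```python
import itertools
import math
import random


def poly_rem(f, q, N):
    """Remainder of f by monic q over Z_N (coefficient lists, lowest degree first).
    No inverses are needed because the leading coefficient of q is 1."""
    f = [c % N for c in f]
    dq = len(q) - 1
    for i in range(len(f) - 1, dq - 1, -1):
        c = f[i]
        if c:
            for j in range(dq + 1):
                f[i - dq + j] = (f[i - dq + j] - c * q[j]) % N
    r = f[:dq]
    return r + [0] * (dq - len(r))


def poly_mulmod(a, b, q, N):
    """(a * b) mod (q, N), used at every multiplication gate."""
    prod = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % N
    return poly_rem(prod, q, N)


def x_power_mod(e, q, N):
    """x^e mod (q, N) by square-and-multiply; e may be as large as (d+1)^(n-1)."""
    result, base = poly_rem([1], q, N), poly_rem([0, 1], q, N)
    while e:
        if e & 1:
            result = poly_mulmod(result, base, q, N)
        base = poly_mulmod(base, base, q, N)
        e >>= 1
    return result


def remainder(circuit, d, q, N):
    """Evaluate the circuit gate by gate on remainders, with x_i -> x^((d+1)^i)
    for the 0-based variable index i (the univariate transformation)."""
    vals = []
    for gate in circuit:
        if gate[0] == "const":
            vals.append([gate[1] * c % N for c in poly_rem([1], q, N)])
        elif gate[0] == "var":
            vals.append(x_power_mod((d + 1) ** gate[1], q, N))
        elif gate[0] == "add":
            vals.append([(u + v) % N for u, v in zip(vals[gate[1]], vals[gate[2]])])
        else:  # "mul"
            vals.append(poly_mulmod(vals[gate[1]], vals[gate[2]], q, N))
    return vals[-1]


def identity_test(circuit, n, d, N, eps=0.5, trials=30, rng=random):
    """True iff every trial leaves remainder 0. The error is one-sided: a zero
    polynomial always passes, a nonzero one is missed only if q divides it."""
    D = d * (d + 1) ** (n - 1)
    deg_q = max(1, math.ceil(math.log2(D + 1)))   # assumed constant in log O(D)
    m = max(1, (N - 1).bit_length())              # encoding length of Z_N
    M = math.ceil(2 ** (m + 1) / eps)             # U = {c*e : 0 <= c < M}
    for _ in range(trials):
        q = [rng.randrange(M) % N for _ in range(deg_q)] + [1]
        if any(remainder(circuit, d, q, N)):
            return False
    return True


def eval_at_point(circuit, point, N):
    """Black-box style evaluation at one point of Z_N^n."""
    vals = []
    for gate in circuit:
        if gate[0] == "const":
            vals.append(gate[1] % N)
        elif gate[0] == "var":
            vals.append(point[gate[1]] % N)
        elif gate[0] == "add":
            vals.append((vals[gate[1]] + vals[gate[2]]) % N)
        else:
            vals.append(vals[gate[1]] * vals[gate[2]] % N)
    return vals[-1]


def vanishes_on_all_points(circuit, n, N):
    return all(eval_at_point(circuit, pt, N) == 0
               for pt in itertools.product(range(N), repeat=n))


# Constructed circuits; each gate refers to earlier gates by index.
# VANISHING computes 4*x(x+1): nonzero in Z_8[x] but zero at every point of Z_8.
VANISHING = [("var", 0), ("const", 1), ("add", 0, 1), ("mul", 0, 2),
             ("const", 4), ("mul", 4, 3)]
# ZERO computes (x1+x2)^2 - 2*x1*x2 - (x1^2 + x2^2), identically zero.
ZERO = [("var", 0), ("var", 1), ("add", 0, 1), ("mul", 2, 2),
        ("mul", 0, 0), ("mul", 1, 1), ("mul", 0, 1), ("const", -2),
        ("mul", 7, 6), ("add", 4, 5), ("const", -1), ("mul", 10, 9),
        ("add", 3, 8), ("add", 12, 11)]
```

For `VANISHING` a single trial misses exactly when $q \equiv x^2 + x \pmod 2$, which is the divisibility event Lemma 6.5 bounds; repeating the trial drives the miss probability down.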

We will now prove the correctness of the above randomized identity test in Lemmas 6.3, 6.4 and 6.5.

Lemma 6.3 Let $R$ be a local commutative ring with unity and of characteristic $p^\alpha$ for some prime $p$ and integer $\alpha > 0$. Let $g$ be a nonzero polynomial in $R[x]$ such that $g \in p^k R[x] \setminus p^{k+1} R[x]$ for $k < \alpha$. Let $I = \{r \in R \mid p^k r = 0\}$, $g = p^k \hat{g}$ where $\hat{g} \notin pR[x]$ and $q$ is a monic polynomial in $R[x]$. If $q$ divides $g$ in $R$, then $q$ divides $\hat{g}$ in $R/(I + pR)$.

Proof. As $q(x)$ divides $g(x)$ in $R[x]$, we have $g(x) = q(x) q_1(x)$ for some polynomial $q_1(x) \in R[x]$. Suppose $\hat{g}(x) = q(x) \hat{q}(x) + r(x)$ in $R[x]$ where the degree of $r(x)$ is less than the degree of $q(x)$. Also note
¹ Notice that we have to compute $ce$ using the ring oracle for addition in $R$. Starting with $e$, we need to add it $c$ times. The running time for this computation can be made polynomial in $\log c$ by writing $c$ in binary and applying the standard doubling algorithm.
Algorithm 2 The Identity Testing algorithm

1: procedure IdentityTesting($C$, $\epsilon$)
2:   for $i = 1, n$ do
3:     $x_i \leftarrow x^{(d+1)^{i-1}}$ ▷ Univariate transformation
4:   end for
5:   $g(x) \leftarrow C(x, x^{(d+1)}, \dots, x^{(d+1)^{n-1}})$.
6:   $D \leftarrow d(d+1)^{n-1}$. ▷ The formal degree of $g(x)$ is at most $D$
7:   Choose a monic polynomial $q(x) \in U[x]$ of degree [log uniformly at random.
8:   Divide $g(x)$ by $q(x)$ and compute the remainder $r(x)$. ▷ The division algorithm uses the structure of the circuit.
9:   if $r(x) = 0$ then
10:     $C$ computes a zero polynomial.
11:   else
12:     $C$ computes a nonzero polynomial.
13:   end if
14: end procedure



that the division makes sense even over the ring as $q(x)$ is monic. We want to show that $r(x) \in (I + pR)[x]$. We have the following relation in $R[x]$:

$$g = q q_1 = p^k \hat{g} = p^k q \hat{q} + p^k r.$$

So, $p^k r = q(q_1 - p^k \hat{q})$. If $(q_1 - p^k \hat{q}) \neq 0$ in $R[x]$, then the degree of the polynomial $q(q_1 - p^k \hat{q})$ is strictly more than the degree of $p^k r$ as $q$ is monic and degree of $q$ is more than the degree of $r$. Thus $(q_1 - p^k \hat{q}) = 0$ in $R[x]$ forcing $p^k r = 0$ in $R[x]$. So by the choice of $I$, we have $r(x) \in I[x]$. Thus $r(x) \in (I + pR)[x]$. Notice that in Lemma 5.4 we have already proved that $\hat{g}(x) \neq 0$ in $S[x]$, where $S = R/(I + pR)$. Also $q$ is nonzero in $S[x]$ as it is a monic polynomial. Hence we have proved that $q(x)$ divides $\hat{g}(x)$ over $S[x]$. ■

The following lemma is basically Chinese remaindering tailored to our setting. 

Lemma 6.4 Let $R$ be a local ring with characteristic $p^\alpha$. Let $g(x) \in p^k R[x] \setminus p^{k+1} R[x]$ for some $k \ge 0$. Let $g(x) = p^k \hat{g}(x)$ and $I = \{r \in R \mid p^k r = 0\}$. Suppose $q_1(x), q_2(x)$ are two monic polynomials over $R[x]$ such that each of them divides $g$ in $R[x]$. Moreover, suppose there exist polynomials $a(x), b(x) \in R[x]$ such that $a q_1 + b q_2 = 1$ in $R/(I + pR)$. Then $q_1 q_2$ divides $\hat{g}$ in $R/(I + pR)$.

Proof. By Lemma 6.3, we know that $q_1$ and $q_2$ divide $\hat{g}$ in $R/(I + pR)$. Let $\hat{g} = q_1 \hat{q}_1$ and $\hat{g} = q_2 \hat{q}_2$ in $R/(I + pR)$. Let $\hat{q}_1 = q_2 q_3 + r$ in $R/(I + pR)$. So, $\hat{g} = q_1 q_2 q_3 + q_1 r$. Substituting $q_2 \hat{q}_2$ for $\hat{g}$, we get $q_2(\hat{q}_2 - q_1 q_3) = q_1 r$. Multiplying both sides by $a$ and substituting $a q_1(x) = 1 - b q_2$, we get $q_2[a(\hat{q}_2 - q_1 q_3) + b r] = r$. If $r \neq 0$ in $R/(I + pR)$, we arrive at a contradiction since $q_2$ is monic and thus the degree of $q_2[a(\hat{q}_2 - q_1 q_3) + b r]$ is more than the degree of $r$. ■

Let $f(x)$ be a nonzero polynomial in $R[x]$ of degree at most $D$. The next lemma states that, if we pick a random monic polynomial $q(x) \in U[x]$ ($U$ is similarly defined as before) of degree $d \approx \log O(D)$, with high probability, $q(x)$ will not divide $f(x)$.
Lemma 6.5 Let $R$ be a commutative ring with unity. Suppose $f(x) \in R[x]$ is a nonzero polynomial of
degree at most $D$ and $\epsilon > 0$ be a given constant. Choose a random monic polynomial $q(x)$ of degree
d = [log ^T^l in U[x]. Then with probability at least q{x) will not divide f{x) over R[x]. 



2 



Proof. Let $R \cong \bigoplus_i R_i$ be the local ring decomposition of $R$. As $f$ is nonzero in $R[x]$, there exists $j$ such that $f_j = \phi_j(f)$ is nonzero in $R_j[x]$. Clearly, we can lower bound the required probability by the probability that $q_j = \phi_j(q)$ does not divide $f_j$ in $R_j[x]$. Let the characteristic of $R_j$ be $p^\alpha$. If $q_j$ divides $f_j$ in $R_j[x]$ then it also divides over $R_j/(I_j + pR_j)$. It is shown in the proof of Lemma 5.4 that $\mathbb{F}_p \subseteq R_j/(I_j + pR_j)$.

Now the number of irreducible polynomials in Fp of degree d is at least - — ^ — . Let t = ^ — ^ — . Let 
Qix) = Eto bix' + e ¥p[x] be a monic polynomial. Now if a monic polynomial P{x) of degree d is 
randomly chosen from U[x] then, Prob[P(a;) = q{x) mod p] = ^^=oli'^^-b')/p\+'^ > _ Again, 

choosing M > (i2™'+^/e, we get Prob[P(2;) = q{x) modp] > (1 - e/2)/p'^. 

So, the probability that $q_j$ is an irreducible polynomial in $\mathbb{F}_p[x]$ is at least $t(1 - \epsilon)/p^d \ge (1 - \epsilon)/2d$. Let $f_j \in p^k R_j[x] \setminus p^{k+1} R_j[x]$. So we can write $f_j = p^k f'$, where $f' \in R_j[x] \setminus pR_j[x]$. By Lemma 6.3, $q_j$ divides $f'$ in $R/(I_j + pR)$. Also, by Lemma 6.4 the number of different monic polynomials that are irreducible in $\mathbb{F}_p$ and divide $f'$ in $R_j/(I_j + pR_j)$ is at most $D/d$. In the sample space for $q$, any monic
polynomial of degree d in Rj/ {Ij + pRj) occurs at most + 1)*^ times. So the probability that a random 

— +1)'* 

monic irreducible polynomial q will divide / is at most < + 3)"^ < J^?- So a random 

monic polynomial q E U[x\ (which is irreducible in Fp with reasonable probability) will not divide f{x) 
with probability at least ^ - ^ > ^ for d > [log . ■ 

The correctness of Algorithm 2 and its success probability follow directly from Lemma 6.3, Lemma 6.4 and Lemma 6.5.

In particular, by Lemma 6.5, the success probability of our algorithm is at least where t =
[log Y^^. As is an inverse polynomial quantity in input size and the randomized algorithm has one- 
sided error, we can boost the success probability by repeating the test polynomially many times. We summarize the result in the following theorem.

Theorem 6.6 Let $R$ be a finite commutative ring with unity given as an oracle and $f \in R[x]$ be a polynomial, given as an arithmetic circuit. Then in randomized time polynomial in the circuit size and $\log |R|$ we can test whether $f = 0$ in $R[x]$.

Randomized polynomial time identity testing for multivariate polynomials $f \in R[x_1, \dots, x_n]$ given by arithmetic circuits follows from Theorem 6.6 and Lemma 6.2.

Theorem 6.7 Let $R$ be a commutative ring with unity given as an oracle. Let $f$ be a polynomial in $R[x_1, x_2, \dots, x_n]$ of formal degree at most $d$, given by an arithmetic circuit over $R$. Then in randomized time polynomial in circuit size and $\log |R|$ we can test whether $f = 0$ in $R[x_1, x_2, \dots, x_n]$.

Remark 6.8 The randomized polynomial-time identity test of Bogdanov and Wee [BW05] for noncommutative circuits of polynomially bounded degree in $\mathbb{F}\{x_1, \dots, x_n\}$ for a field $\mathbb{F}$, can be extended to such circuits over any commutative ring $R$ with unity, where $R$ is given by a ring oracle. This follows from the fact that the Amitsur-Levitzki theorem is easily seen to hold even in the ring $R\{x_1, \dots, x_n\}$. The easy details are given in the appendix.



² An alternative proof of this lemma based on [AB03, Lemma 4.7] is given in the appendix.
Remark 6.9 Finally, we note that the results in Section 2 carry over without changes to noncommuting polynomials in $R\{x_1, \dots, x_n\}$, where $R$ is a commutative ring with unity given by a ring oracle.
A Noncommutative identity testing over commutative coefficient rings



Here we extend the noncommutative identity testing of Bogdanov and Wee [BW05] to $R\{x_1, \dots, x_n\}$ where $R$ is an arbitrary commutative ring with unity. Our algorithm is a combination of the Amitsur-Levitzki theorem and Theorem 6.7. We first briefly discuss the Amitsur-Levitzki result tailored to our application and the result of [BW05]. Let $M_k(\mathbb{F})$ be the $k \times k$ matrix algebra over $\mathbb{F}$. The following algebraic lemma was the key result used in [BW05].

Lemma A.1 [AL50, GZ05] $M_k(\mathbb{F})$ does not satisfy any non-trivial polynomial identity of degree $< 2k$.

Based on Lemma A.1, a noncommutative version of the Schwartz-Zippel lemma over $\mathbb{F}\{x_1, \dots, x_n\}$ is described in [BW05]. We first give an intuitive description of the identity testing algorithm in [BW05]. Assume $f \in \mathbb{F}\{x_1, \dots, x_n\}$ is of degree $d$ and is given by an arithmetic circuit. Fix $k$ such that $k > \lceil d/2 \rceil$. Consider a field extension $\mathbb{F}'$ of $\mathbb{F}$ such that $|\mathbb{F}'| \gg d$. The idea is to evaluate the circuit on random $k \times k$ matrices from $M_k(\mathbb{F}')$. We think of each entry of the matrix as an indeterminate and view the $k^2$ indeterminates as commuting variables. So at the output of the circuit, we get a $k \times k$ matrix such that each of its entries are polynomials in commuting variables. Lemma A.1 guarantees that $f = 0$ in $\mathbb{F}\{x_1, \dots, x_n\}$ if and only if each of the $k^2$ polynomials computed as the entries of the matrix at the output gate, are identically zero. Then we get a lower bound of the success probability via the commutative Schwartz-Zippel lemma.

We give a randomized polynomial time identity testing algorithm over $R\{x_1, \dots, x_n\}$ where $R$ is any finite commutative ring with unity and is given by a ring oracle. Our algorithm is based on the observation that Lemma A.1 is valid over $M_k(R)$. For the sake of completeness, we briefly discuss the proof of Lemma A.1 tailored to $R$. The following fact is the key in proving Lemma A.1.

Fact A.2 ([GZ05, page 7]) Let $A$ be an $\mathbb{F}$-algebra spanned by a set $B$ over $\mathbb{F}$. If the algebra $A$ satisfies an identity of degree $k$ in $\mathbb{F}\{x_1, \dots, x_n\}$, then it satisfies a multilinear identity of degree $\le k$.

We observe that the result of Fact A.2 holds even if $A$ is an algebra over $R$. The proof is analogous to the proof of Fact A.2. Following [GZ05, page 7], we call a polynomial $f$ multilinear if every variable occurs with degree exactly one in every monomial of $f$.

Lemma A.3 Let $A$ be an $R$-algebra such that $A$ satisfies an identity of degree $k$. Then it satisfies a multilinear identity of degree $k$.

Proof. The lemma follows from an identical argument to that in the proof of Theorem 1.3.7 in [GZ05]. ■

Using Lemma A.3 it follows that Lemma A.1 extends to $M_k(R)$. The proof is analogous to the proof of Theorem 1.7.2 in [GZ05]. Let $f$ be an identity for $M_k(R)$ of degree $< 2k$. By Lemma A.3 we can assume that $f$ is multilinear. Also, multiplying $f$ by the new variables from the right, we can assume that the degree of $f$ is $2k - 1$. Let,



with $\alpha_1 \neq 0$, where $1$ denotes the identity permutation. Let $e_{ij}$ be the $k \times k$ matrix with unity (of $R$) at the $(i, j)$-th entry and zero in all other entries. It is easy to see that $f(e_{11}, e_{12}, e_{22}, e_{23}, \dots, e_{k-1,k}, e_{kk}) = \alpha_1 e_{1k} \neq 0$, since $x_1 \cdots x_{2k-1}$ is the only monomial that does not vanish during the evaluation. So $f$ is not an identity for $M_k(R)$. The fact that $R$ is a ring with unity is crucially used.
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Lemma A.4 Let R be a finite commutative ring with unity. Then Mk{R) does not satisfy any polynomial 
identity of degree < 2k. 
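
The staircase evaluation used in the argument above can be checked by brute force. This is an added example, not code from the paper: it assumes $R = \mathbb{Z}_m$, writes the multilinear $f$ as a sum over permutations $\sigma$ with coefficients $\alpha_\sigma$, and all function names and sample coefficients are constructed for illustration.

```python
from itertools import permutations

def unit(i, j, k):
    """k x k matrix unit e_ij (1-indexed): unity of Z_m at (i, j), zero elsewhere."""
    return [[1 if (r, c) == (i, j) else 0 for c in range(1, k + 1)]
            for r in range(1, k + 1)]

def matmul(A, B, m):
    """Product of two k x k matrices with entries reduced modulo m."""
    k = len(A)
    return [[sum(A[r][t] * B[t][c] for t in range(k)) % m for c in range(k)]
            for r in range(k)]

def staircase(k):
    """The substitution e_11, e_12, e_22, e_23, ..., e_{k-1,k}, e_kk (2k-1 matrices)."""
    mats = []
    for i in range(1, k):
        mats += [unit(i, i, k), unit(i, i + 1, k)]
    return mats + [unit(k, k, k)]

def evaluate_multilinear(alpha, mats, m):
    """Evaluate sum_sigma alpha[sigma] * x_sigma(1) ... x_sigma(d) at x_i = mats[i]."""
    k = len(mats[0])
    total = [[0] * k for _ in range(k)]
    for sigma, a in alpha.items():
        prod = mats[sigma[0]]
        for idx in sigma[1:]:
            prod = matmul(prod, mats[idx], m)
        total = [[(total[r][c] + a * prod[r][c]) % m for c in range(k)]
                 for r in range(k)]
    return total

def demo(k=3, m=6, alpha_identity=3):
    """Constructed multilinear f of degree 2k-1 over Z_m with arbitrary coefficients."""
    d = 2 * k - 1
    alpha = {s: (7 * n + 1) % m for n, s in enumerate(permutations(range(d)))}
    alpha[tuple(range(d))] = alpha_identity  # coefficient of x_1 x_2 ... x_{2k-1}
    return evaluate_multilinear(alpha, staircase(k), m)
```

With the defaults, `demo()` returns $3\,e_{13}$ over $\mathbb{Z}_6$: every monomial other than $x_1 \cdots x_5$ vanishes, whatever its coefficient.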

Now we give a randomized polynomial time identity testing algorithm over $R\{x_1, \cdots, x_n\}$.

Theorem A.5 Let $f \in R\{x_1, \cdots, x_n\}$ be a polynomial of degree $d$, given by a noncommutative arithmetic
circuit $C$. $R$ is given as a ring oracle and its elements are encoded using binary strings of length $m$. Then
there is a randomized polynomial time algorithm (poly$(n,d,m)$) to test if $f = 0$ over $R\{x_1, \cdots, x_n\}$.

Proof. Let $x_1, x_2, \cdots, x_n$ be the indeterminates in $C$. Choose $k = \lceil d/2 \rceil + 1$. Replace each $x_i$ by a
$k \times k$ matrix over the set of indeterminates $\{y^{(i)}_{j\ell}\}_{1 \le j,\ell \le k}$. Once we replace the $x_i$ by matrices, the inputs and
the outputs of the gates will be matrices. Replace each addition (multiplication) gate by a block of circuits
computing the sum (product) of two $k \times k$ matrices (without loss of generality, assume that the fan-in of
all gates is two). This can be easily achieved using 0(/c^) gates. Let $C'$ be the arithmetic circuit obtained
from $C$ by these modifications. Clearly, $C'$ computes a function from $\mathbb{F}^{nk^2} \to \mathbb{F}^{k^2}$ and the size of $C'$ is only
polynomial in the size of $C$. Denote by $Y$ the variable list $(y^{(1)}_{11}, \cdots, y^{(1)}_{kk}, \cdots, y^{(n)}_{11}, \cdots, y^{(n)}_{kk})$. Then,

$$C'(Y) = (P_1(Y), \ldots, P_{k^2}(Y)).$$

Also, by Lemma A.4, $M_k(R)$ does not satisfy any identity of degree $< 2k$ over $R\{x_1, \cdots, x_n\}$. So $M_k(R)$
satisfies $f$ if and only if $f = 0$ in $R\{x_1, \cdots, x_n\}$, which is equivalent to $P_i = 0$ over $R[Y]$
for all $i$. Notice that the degree of $P_i$ is $\le d$. Now we appeal to Theorem 6.7 in order to test whether
$P_i = 0$ in time poly$(n, d, m)$. ■

Bogdanov and Wee in [BW05] evaluate the noncommutative circuit over a field extension $\mathbb{F}'$ of $\mathbb{F}$ in
case $\mathbb{F}$ is a small field compared to the degree. In our proof of Theorem A.5, when coefficients come from
the ring $R$, we avoid working in a ring extension and instead apply Theorem 6.7.



B Alternative proof of Lemma 6.3



Let $R$ be a finite commutative ring with unity (denoted $e$) and its elements uniformly encoded in $\{0, 1\}^m$.

Recall we need to show the following: if we divide a nonzero polynomial $g(x) \in R[x]$ of degree $D$ by
a random monic polynomial $q(x) \in U[x]$ of degree $\log O(D)$ then with high probability we get a nonzero
remainder. Recall from Section 6 that $U = \{ke \mid 0 \le k \le M - 1\}$, where M > 2^^^ je.

Indeed, Agrawal and Biswas essentially show in [AB03, Lemma 4.7] that the above result holds for the
special case when the ring $R$ is the ring of integers modulo $t$, where $t$ is any positive integer given in
binary. In Section 6 we gave a self-contained proof of Lemma 6.3. In the sequel we give a different proof
which applies the [AB03] result for and brings out an interesting property of the division algorithm.

Let $n$ denote the characteristic of the ring $R$. Then sampling from $U[x]$ amounts to almost uniform
sampling from the copy of $\mathbb{Z}_n[x]$, namely $\mathbb{Z}_n e[x]$, contained in $R[x]$ as a subring. Since $(R, +)$ is a finite
abelian group, by the fundamental theorem for abelian groups, we can write $(R, +)$ as a direct sum $R =
\bigoplus_{i=1}^{k} \mathbb{Z}_{n_i} e_i$, where $e_1, \cdots, e_k$ forms an independent generating set for $(R, +)$, and $n_i$ is the additive order
of $e_i$ for each $i$. Notice that the lcm of $n_1, \cdots, n_k$ is the ring's characteristic $n$. This decomposition extends
naturally to the additive group $(R[x], +)$ to give

$$R[x] = \bigoplus_{i=1}^{k} \mathbb{Z}_{n_i}[x]\, e_i. \tag{2}$$

Thus, every polynomial $g(x) \in R[x]$ can be uniquely written as $g(x) = \sum_{i=1}^{k} g_i(x) e_i$, where $g_i$ is a
polynomial with integer coefficients in the range $0, \cdots, n_i - 1$ for each $i$. Clearly, dividing $g(x)$ by $q(x)$
amounts to dividing each term in $\sum_{i=1}^{k} g_i(x) e_i$. The following claim tells us how to analyze this term by
term division. More precisely, we analyze the quotient and remainder when we divide $g_i(x) e_i \in R[x]$ by
$q(x) \in \mathbb{Z}_n[x]$ ($\cong \mathbb{Z}_n e[x] \subset R[x]$).

Claim B.1 Let $g_i(x) = q(x)q'(x) + r'(x)$ be the quotient and remainder when we divide $g_i(x)$ by $q(x)$ in
the ring $\mathbb{Z}_{n_i}[x]$. Let $g_i(x)e_i = q(x)q''(x) + r''(x)$ be the quotient and remainder when we divide $g_i(x)e_i$ by
$q(x)$ in the ring $R[x]$. Then $q'(x)e_i = q''(x)$ and $r'(x)e_i = r''(x)$.

This claim is somewhat surprising because Equation 2 only gives us a group decomposition of $R[x]$ and not
a ring decomposition. Thus, it is not clear why division in the ring $\mathbb{Z}_{n_i}[x]$ can be related to division in $R[x]$.
Indeed, the crucial reason why we can relate the two divisions is because the divisor polynomial $q(x)$ lives
in the copy of $\mathbb{Z}_n[x]$ inside $R[x]$.

To see the claim, we will carry out the division of $g_i(x)$ by $q(x)$ over $R[x]$. Since both $g_i$ and $q(x)$ have
integer coefficients, this amounts to carrying out division in $\mathbb{Z}_n[x]$ which yields, say, $g_i(x) = q(x)q_1(x) +
r_1(x)$. We can also write $q_1(x) = a(x) + n_i b(x)$ and $r_1(x) = c(x) + n_i d(x)$. Then, over $\mathbb{Z}_{n_i}$ notice that we
must have $g_i(x) = q(x)a(x) + c(x)$. Therefore, $a(x) = q'(x)$ and $c(x) = r'(x)$. Now, multiplying both sides
by $e_i$ we will get $q_1(x)e_i = a(x)e_i + n_i e_i b(x) = a(x)e_i = q'(x)e_i$. Similarly, we get $r_1(x)e_i = c(x)e_i =
r'(x)e_i$. Furthermore, again multiplying both sides by $e_i$, we also get $g_i(x)e_i = q(x)q_1(x)e_i + r_1(x)e_i$.
Hence, $q''(x) = q_1(x)e_i = q'(x)e_i$ and $r''(x) = r_1(x)e_i = r'(x)e_i$. This proves the claim.

A consequence of the claim is the following nice property of the division algorithm: in order to divide
$g(x)$ by $q(x)$ over the ring $R$, for each $i$ we can carry out the division of $g_i(x)$ by $q(x)$ over the ring $\mathbb{Z}_{n_i}$ and
obtain the quotients and remainders:

$$g_i(x) = q(x)q'_i(x) + r'_i(x).$$

Then we can put together the term by term divisions to obtain

$$g(x) = q(x)\Big(\sum_{i=1}^{k} q'_i(x)e_i\Big) + \Big(\sum_{i=1}^{k} r'_i(x)e_i\Big). \tag{3}$$

More precisely, when we divide $g(x)$ by $q(x)$ in $R[x]$, the quotient is $\sum_{i=1}^{k} q'_i(x)e_i$ and the remainder is
$\sum_{i=1}^{k} r'_i(x)e_i$. Now, since $g \in R[x]$ is nonzero, there is an index $j$ such that $g_j(x) \in \mathbb{Z}_{n_j}[x]$ is nonzero.
Furthermore, since $n_j$ is a factor of $n$, the polynomial $q(x)$ modulo $n_j$ is still an almost uniformly distributed
random monic polynomial. It follows from the Agrawal-Biswas result [AB03, Lemma 4.7] applied to
division of $g_j(x)$ by $q(x)$ over $\mathbb{Z}_{n_j}$ that $r'_j(x)$ will be nonzero with high probability. Consequently, by
Equation 3 the remainder $\sum_{i=1}^{k} r'_i(x)e_i$ on dividing $g(x)$ by $q(x)$ in the ring $R[x]$ is also nonzero with the
same probability.
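
Claim B.1 and Equation 3 can be checked mechanically on a ring whose additive decomposition is not a ring decomposition. This is an added example, not code from the paper: the ring $R = \mathbb{Z}_4[y]/(2y, y^2)$ with $e_1 = 1$, $e_2 = y$, the sample polynomials and all function names are assumptions chosen for illustration.

```python
# Constructed ring R = Z_4[y]/(2y, y^2): the element a*e1 + b*e2 is stored as (a, b),
# with e1 = 1 (additive order 4) and e2 = y (additive order 2); characteristic n = 4.
ORDERS = (4, 2)

def r_add(u, v):
    return ((u[0] + v[0]) % 4, (u[1] + v[1]) % 2)

def r_neg(u):
    return (-u[0] % 4, -u[1] % 2)

def r_mul(u, v):
    # (a + b*y)(c + d*y) = ac + (ad + bc)*y, because y^2 = 0 and 2y = 0
    return ((u[0] * v[0]) % 4, (u[0] * v[1] + u[1] * v[0]) % 2)

def divide_monic(g, q, add, neg, mul, zero):
    """Schoolbook division of g by monic q; coefficient lists are low degree first."""
    rem = list(g)
    quo = [zero] * max(len(g) - len(q) + 1, 0)
    for s in range(len(g) - len(q), -1, -1):
        lead = rem[s + len(q) - 1]  # q is monic, so this is the next quotient coefficient
        quo[s] = lead
        for t, qc in enumerate(q):
            rem[s + t] = add(rem[s + t], neg(mul(lead, qc)))
    return quo, rem[:len(q) - 1]

def divide_in_R(g, q_int):
    """Divide g in R[x] by q whose integer coefficients k are embedded as k*e."""
    q = [(c % 4, 0) for c in q_int]
    return divide_monic(g, q, r_add, r_neg, r_mul, (0, 0))

def divide_termwise(g, q_int):
    """Divide each g_i by q in Z_{n_i}[x], then recombine as in Equation 3."""
    parts = []
    for i, n in enumerate(ORDERS):
        g_i = [coef[i] for coef in g]
        q_i = [c % n for c in q_int]
        parts.append(divide_monic(g_i, q_i,
                                  lambda a, b, n=n: (a + b) % n,
                                  lambda a, n=n: -a % n,
                                  lambda a, b, n=n: (a * b) % n, 0))
    quo = list(zip(*(p[0] for p in parts)))
    rem = list(zip(*(p[1] for p in parts)))
    return quo, rem

# Constructed inputs: g(x) in R[x] of degree 4 and the monic q(x) = x^2 + 3x + 2.
G = [(3, 1), (2, 0), (1, 1), (0, 1), (3, 1)]
Q = [2, 3, 1]
```

`divide_in_R` uses the full multiplication of $R$, including $y^2 = 0$, yet agrees with `divide_termwise`, which only ever works modulo $n_1 = 4$ and $n_2 = 2$ separately.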